Auto update: Is this secure?

Question

Dot Net Auto Update

I felt like .net was lacking a simple secure automatic update library so I\'ve implemented something and put it up here. Before anyone considers

Answer 1

There is some very nice comment and solution in this post. But I am strongly agree with dr. evil. You should use SSL connection for update and the certificate must be saved (built on) in the client. So, you can make sure the client is not going to accept fake certificate. I think it will effectively immune the client from the MiTM attack.

NOTE: If client can accept unauthorized certificate then MiTM attack can be successful, so do not give this option to the client.

Edit: I think SSL certificate can be self signed in this case.